Is there a work around to separate addField constraint for pointer permission #4251

Closed
omar-bz opened this issue Oct 12, 2017 · 11 comments

Comments

@omar-bz

omar-bz commented Oct 12, 2017

Maybe you want to take a look at #4045.
Because #4045 has been inactive for a long time I opened a new one. It is critical, since a user in this case has more privilege than the admin itself. Is there a workaround for this?

@flovilmart
Contributor

You can update the schema directly using the REST API. This is likely to be a limitation on the dashboard. Can you ping back if there’s an issue?

@omar-bz
Author

omar-bz commented Oct 12, 2017

I don't understand how to change the schema directly. When I GET '/schemas/Test' for some test class I created, I get something like this for the CLP:

"classLevelPermissions": {
        "find": {
            "requiresAuthentication": true,
            "*": true
        },
        "get": {
            "*": true
        },
        "create": {
            "requiresAuthentication": true
        },
        "update": {},
        "delete": {},
        "addField": {},
        "readUserFields": [
            "user"
        ],
        "writeUserFields": [
            "user"
        ]
    }

The user pointer has the whole write privilege specified with 'writeUserFields', and when I try 'addFieldUserFields' instead of 'writeUserFields' it gives an error.
Can you please help me with this?

@flovilmart
Contributor

It should probably be in addField. I'll have a look.

@omar-bz
Author

omar-bz commented Oct 12, 2017

When I PUT:

{
"classLevelPermissions": {
        "find": {
            "requiresAuthentication": true,
            "*": true
        },
        "get": {
            "*": true
        },
        "create": {
            "requiresAuthentication": true
        },
        "update": {},
        "delete": {},
        "addField": {
           "user":true
        }
    }
}

It gives:

{
    "code": 107,
    "error": "'user' is not a valid key for class level permissions"
}

@flovilmart
Contributor

Ok thanks!

@jaalzateolaya

+1

@stale

stale bot commented Sep 18, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Sep 18, 2018
@sunshineo
Contributor

sunshineo commented Sep 20, 2018

[screenshot: dashboard]

@flovilmart I don't think it is a limitation of the dashboard. When I look at the database I see this:
[screenshot: mongo]

It seems to be saved separately. So the workaround would be to have some Cloud Code save the specific user permission for each object in beforeSave. I'm not sure yet; I'll be trying it.

@stale stale bot removed the wontfix label Sep 20, 2018
@flovilmart
Contributor

It needs to be implemented on the server. As of now, pointer permissions are blanket permissions for read or write, and don't offer granular control over each detailed permission.

@sunshineo
Contributor

sunshineo commented Sep 20, 2018

@bouzoumita The workaround I imagined does not exactly work, for some reason. When I have an object level permission like this set by code:
[screenshot: object]
and have class level permissions like this:
[screenshot: class]
it does not work. I got the error:

"Permission denied for action update on class Comment."

So sadly, if your registered user decides to attack you, they can add many, many fields to their own object and cause who knows what issue. @flovilmart any thoughts?
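A server-side guard along the lines of the beforeSave workaround discussed in the two comments above, added here as an example that is not from this thread or from parse-server itself. It assumes Parse Server 3.x style Cloud Code triggers (request.object, request.master, throwing to reject) and a constructed field list for a "Comment" class; a real deployment would load that list from the class schema with the master key.

```javascript
// Added example: enforce "no addField for non-master clients" in a beforeSave
// trigger, since writeUserFields grants the pointed-to user blanket write
// (update, delete AND addField) and the CLP cannot split those apart.

// Constructed sample: the fields the "Comment" class schema is allowed to have.
// Assumption: in production this would come from new Parse.Schema(className).get()
// (run with the master key), not from a hard-coded table.
const KNOWN_FIELDS = {
  Comment: ['objectId', 'createdAt', 'updatedAt', 'ACL', 'user', 'text'],
};

// Return the keys in `incomingKeys` that the class schema does not know.
function unknownFields(className, incomingKeys) {
  const known = new Set(KNOWN_FIELDS[className] || []);
  return incomingKeys.filter((key) => !known.has(key));
}

// Decide whether a save must be rejected. The master key may still add
// fields (it is how the admin evolves the schema); every other request,
// including the object's owner writing via writeUserFields, may not.
function addFieldViolation(className, incomingKeys, isMaster) {
  if (isMaster) return null;
  const extra = unknownFields(className, incomingKeys);
  if (extra.length === 0) return null;
  return `addField not permitted on ${className}: ${extra.join(', ')}`;
}

// Register the guard as a beforeSave trigger. The `Parse` object is passed
// in so this module loads (and can be tested) without the Parse SDK present.
function registerAddFieldGuard(Parse, className) {
  Parse.Cloud.beforeSave(className, (request) => {
    // dirtyKeys() lists only the keys this request is changing or adding.
    const keys = request.object.dirtyKeys();
    const message = addFieldViolation(className, keys, Boolean(request.master));
    if (message) throw new Error(message); // throwing aborts the save
  });
}
```

In a Cloud Code main.js you would call registerAddFieldGuard(Parse, 'Comment') once at startup.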

@stale

stale bot commented Nov 4, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
